10 best practice suggestions for common smartphone threats



Similar documents
The great debate: Corporate vs. personal liability for smartphones and tablet devices in the workplace

Securing mobile devices in the business environment

10 Quick Tips to Mobile Security

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

IBM Endpoint Manager for Mobile Devices

How to Secure Your Environment

Internet threats: steps to security for your small business

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

How To Protect Your Mobile Device From Attack

Successful Mobile Deployments Require Robust Security

Mobile Device Management

Guideline on Safe BYOD Management

Securing Corporate on Personal Mobile Devices

Use Bring-Your-Own-Device Programs Securely

Symantec Mobile Management 7.1

Enabling Staff with Secure Mobile Technology in an Increasingly Risky World

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite.

SECURING TODAY S MOBILE WORKFORCE

Conducting a Risk Assessment for Mobile Devices

Security Practices for Online Collaboration and Social Media

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Embracing BYOD. Without Compromising Security or Compliance. Sheldon Hebert SVP Enterprise Accounts, Fixmo.

Reducing the cost and complexity of endpoint management

Kaspersky Security for Mobile

The Risks and Rewards of Social Media and Mobile Devices

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

National Cyber Security Month 2015: Daily Security Awareness Tips

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

Don t Lose the Data: Six Ways You May Be Losing Mobile Data and Don t Even Know It

Symantec Mobile Management 7.1

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Why Encryption is Essential to the Safety of Your Business

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Endpoint Security More secure. Less complex. Less costs... More control.

Mobile Security: Top Five Security Threats for the Mobile Enterprise and How to Address Them

Mobile Security: Controlling Growing Threats with Mobile Device Management

A Guide to MAM and Planning for BYOD Security in the Enterprise

How To Manage A Corporate Device Ownership (Byod) On A Corporate Network (For Employees) On An Iphone Or Ipad Or Ipa (For Non-Usenet) On Your Personal Device

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

Bring Your Own Device. Individual Liable User Policy Considerations

White Paper. Data Security. The Top Threat Facing Enterprises Today

Bring Your Own Device (BYOD) and Mobile Device Management. tekniqueit.com

Mobile Device Strategy

Bring Your Own Device (BYOD) and Mobile Device Management.

Trust Digital Best Practices

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

Symantec Mobile Management 7.2

Mobile Device Security

Choose Your Own Device (CYOD) and Mobile Device Management. gsolutionz.com

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

Mobile Security BYOD and Consumer Apps

Samsung Mobile Security

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

Cloud Backup and Recovery for Endpoint Devices

10 BEST PRACTICES FOR MOBILE DEVICE MANAGEMENT (MDM)

The Cloud App Visibility Blindspot

Information Security: A Perspective for Higher Education

Symantec Mobile Management 7.2

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Securing end-user mobile devices in the enterprise

TMCEC CYBER SECURITY TRAINING

Secure Your Mobile Workplace

ForeScout CounterACT. Continuous Monitoring and Mitigation

How-To Guide: Cyber Security. Content Provided by

Symantec Mobile Management for Configuration Manager 7.2

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

BYOD Policy Implementation Guide. February 2016 March 2016

Chris Boykin VP of Professional Services

Codeproof Mobile Security & SaaS MDM Platform

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Mobility, Security Concerns, and Avoidance

Cyber Security. John Leek Chief Strategist

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

WHITE PAPER. Mobile Security. Top Five Security Threats for the Mobile Enterprise and How to Address Them

Securing Office 365 with MobileIron

Best Practices for Secure Mobile Access

Mobile Protection. Driving Productivity Without Compromising Protection. Brian Duckering. Mobile Trend Marketing

Managing and Securing the Mobile Device Invasion IBM Corporation

BYOD PARTNER QUESTIONS YOU SHOULD ASK BEFORE CHOOSING A. businessresources.t-mobile.com/resources. A Buyer s Guide for Today s IT Decision Maker

Data Loss Prevention in the Enterprise

Data Protection Act Bring your own device (BYOD)

ENTERPRISE MOBILITY USE CASES AND SOLUTIONS

Network Security Report:

Mobile First Government

The ForeScout Difference

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

Five Best Practices for Secure Enterprise Content Mobility

Mobile Devices in Healthcare: Managing Risk. June 2012

BYOD: End-to-End Security

Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations

Data Security Best Practices & Reasonable Methods

Protecting Content and Securing the Organization Through Smarter Endpoint Choices

The User is Evolving. July 12, 2011

Protecting Android Mobile Devices from Known Threats

Bring Your Own Device (BYOD) and Mobile Device Management

Cisco BYOD Smart Solution: Take a Comprehensive Approach to Secure Mobility

Transcription:

10 best practice suggestions for common smartphone threats Jeff R Fawcett Dell SecureWorks Security Practice Executive M Brandon Swain Dell SecureWorks Security Practice Executive

When using your Bluetooth headset, others can easily listen to phone conversations, make calls, and of course download your data. Why would you secure the smartphone but leave this avenue via the Bluetooth headset open? Executive summary Today s smartphones and tablets represent the easiest means for a hacker to gain access to your corporate network. According to security vendor McAfee, the number of pieces of mobile malware grew by 46 percent in 2010, many of them on Nokia Symbian and Google Android platforms. At the same time, Forester Research reports that 37 percent of workers recently surveyed said they ve used their own smartphones for work. Smartphones lack an operating system as robust as a Windows or Linux. So protecting the devices is much more difficult as they have fewer API s and functionality. Organized crime and nation states are focusing on smartphones since it s much easier to get the data they want. In this white paper we will discuss some of the most common threats and suggest high level best practices that will help mitigate risks. Introduction The IT department has a big problem. Across the enterprise, smartphones are replacing or complementing computers, creating new security vulnerabilities. Smartphones run on up to 10 mobile operating systems today, with security-related products that offer varying capabilities depending on the device and mobile OS used. Then there s a lack of education and awareness. At a recent IT Operations and Security conference, an attendee asked if the anti-virus software protected credit card and bank information stored on their phones and mobile devices, which it does not do. If an experienced IT person does not understand mobile device security, how can end users be expected to understand the risks associated with their smartphones and other mobile devices? Threats and counter measures topics Below are 10 of the more common threats associated with smartphones and mobiles devices, along with best practices to help mitigate risks. 1) Wi-Fi Man-in-the-Middle Attacks This means of attack is popular and effective today in coffee shops, bars, restaurants and airports that offer wireless Internet access without a password. In this environment, anyone else on the same network can hack your device in less than five minutes, downloading all your data, email, contacts, and files unless the data is encrypted. Even without hackers present, other devices, such as laptops, tablets, and smartphones infected with malware can search for other vulnerable devices, infect them, and send information on back to the hacker. Recommendation: Turn off your Wi-Fi unless you are at work or at home. Use a Mobile VPN product if your company has one. If you are encrypting your desktop/laptop, include the contents of your smartphone. Unfortunately, most smartphones purchased today have little or no encryption capability. 2) Bluetooth Man-in-the-Middle Attacks When using your Bluetooth headset, others can easily listen to phone conversations, make calls, and of course download your data. Why would you secure the smartphone but leave this avenue via the Bluetooth headset open? Recommendation: Unless you are using an encrypted Bluetooth headset the overwhelming majority are not encrypted turn off Bluetooth and use a wired headset. Again, as a general recommendation, if you are encrypting your desktop or laptop, an encrypted Bluetooth headset is appropriate. 2

3) Lack of Awareness and Standardized Policies Many security breaches, for mobile devices as well as laptops and desktops, occur because users don t understand the risks associated with everyday actions. Recommendation: Create and maintain a portable media and device policy to describe expected employee behavior. Create an End User Acceptance Policy that contains clear requirements and expectations for mobile devices, including corporate-owned as well as personal-owned devices that are allowed to access enterprise resources. Educate all users on the content of these policies on a recurring basis, and update each as necessary to respond to the changing mobile device landscape. 4) Compromised Devices and Open Gateways Stolen phones and devices login to company networks every day, exposing corporate data to unauthorized disclosure or modification. Recommendation: Use a mobile NAC (Network Access Control) software solution that authenticates, reviews, and compares devices to your policies before allowing them into the corporate environment. Blocked devices that fail to meet the policy requirements can be quarantined to a site outside the DMZ. IT should require registration of employeeowned devices that will access corporate resources. Many security breaches, for mobile devices as well as laptops and desktops, occur because users don t understand the risks associated with everyday actions. 5) Social Media Vulnerabilities: Advanced and persistent hackers use social sites to collect data about you, your network of colleagues, and friends to create targeted and malicious emails. The personal info posted on these sites is used to help create a relationship of trust, in hopes that you ll open an email link connected to an infected web site. Recommendation: Limit your employees exposure on social sites by discouraging them from sharing personal data and closely reviewing friend requests and emails. Instruct them to never click on links in an email from people they haven t met personally - and even then, be wary. 6) Unprotected Corporate Data: Do you know what data should be protected and where it is physically located? If not, you re not alone. Most companies fail to perform any data classification and location assessments. The importance of data classification and appropriate security controls, like encryption and Data Leak Prevention (DLP) systems cannot be emphasized enough. Recommendation: Perform a DLP storage assessment to understand where your key data and intellectual property sits. Implement controls appropriate to the risk of data loss. 7) IT Compliance Failures: Even as more corporate data is stored on personal devices, many companies have not adequately assessed the risks of allowing personal devices in their environment. Likewise, they fail to understand or implement the appropriate controls to ensure compliance with regulatory and corporate governance requirements. Recommendation: Review your company s governance requirements and the organizational risk appetite as part of an overall approach to mobility security. Implement appropriate tools, including mobile device management solutions to deploy and enforce corporate mobile policies. Secure mobile messaging to encrypt corporate email on mobile devices. And secure mobile application development tools, which deliver mobile applications in encrypted containers to prevent unauthorized access. Each of these solutions allow for the remote deletion of corporate information from lost or stolen mobile devices. 3

Viruses continue to spring up from untrusted marketplace applications. Current anti-virus software is only half as effective as needed. And free mobile applications are making their way in greater numbers to users with buried malware. 8) Unmanaged Mobile Devices: Mobile devices left unmanaged by IT expose the corporate environment to excessive risk, including data leakage through connection to unauthorized networks and Bluetooth devices. Lax security controls may allow unauthorized access to corporate information if a device is lost or stolen. Recommendation: Implement a Mobile Device Management solution to provide centralized management and enforcement of corporate policies, password requirements, hardware and device control, certificate management, reporting, and problem alerting. 9) Smartphone Viruses: Viruses continue to spring up from untrusted marketplace applications. Current anti-virus software is only half as effective as needed. And free mobile applications are making their way in greater numbers to users with buried malware. The historic, signature-based approach to anti-virus is not likely to be effective for mobile devices. Recommendation: Companies should take a multi-tiered approach to securing their mobile devices. Implement a device management solution to manage security policies. Many device management solutions support allowing/blocking specific applications. Some solutions allow organizations to restrict application downloads to a private marketplace that contains only approved, reviewed applications. Use an encrypted email solution to prevent access to corporate email data in the event that a malicious application copies the device contents to a remote location. 10) Short Message Service (SMS) Attacks: Short text messages to phones and other mobile devices have increasingly become a vehicle for malware. It is one of the easiest ways to infect a phone. If the user clicks on a specially crafted message, malware can be deployed to the phone providing full remote control of the device. Recommendation: Encrypt the phone s memory and storage. Use security software that blocks this type of malware or turn off SMS if security is more important than this convenience. While these 10 threats are more common in a corporate setting, others provide equal concern, such as geolocation tracking. This privacy concern might expose a user to property crimes someone robs your house when they know you aren t there or personal crimes in which a person s location can be used to direct an assault. Jailbroken phones represent an additional level of risk. The jailbreak process itself is an exploitation of vulnerability in the device, and there are no guarantees that the groups who craft the jailbreak exploits do not load malicious software as part of the process. Jailbroken phones represent further risk to the corporate environment, since applications can be created to report back false results to the device management systems and other security tools in use in a corporate environment. Recommendation: Educate users on the dangers of geolocation and other features of their mobile devices. Ensure that corporate policy prohibits the use of jailbroken devices in the corporate environment, and implement device management tools that can identify and report on jailbroken devices. While mobile devices bring a new set of risks to your corporate environment, they can also improve productivity, build morale, and help establish a work/life balance that attracts and retains the talent needed to help your company succeed. The key is an ongoing practice of governance, education and awareness. 4

Bios: Jeff Fawcett is a Security Practice Executive at Dell working with customers at the Strategy, Risk, and Architectural levels related to Mobility Security. He recently was the Director of Symantec s Federal Consulting Group where he also ran the Federal Cyber Threat Analyst Team. Before that he was Director of Altiris Consulting and VP of Consulting for Novell where he helped start up their SSO, DirXML, and eprovision practices. A mixed background of 10 years in Consulting, 10 years as a Systems Engineer, and 10 years in Sales provides a unique perspective in the security area. Brandon Swain is a Security Practice Executive and founding leader of Dell s Enterprise Mobility Security Services. He was recently the Chief Information Security Officer for Parsons, a global engineering and construction management firm, where his responsibilities included establishing and maintaining security programs for Parsons projects for US Government projects as well as commercial projects in the financial services and healthcare sector. Prior to that, he was a Systems Integration and Security consultant for Dell Services. Short text messages to phones and other mobile devices have increasingly become a vehicle for malware. It is one of the easiest ways to infect a phone. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the United States and/or other countries. Dell and the Dell logo are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. 2011 Dell Inc. All rights reserved. August 2011 CommonSmartphoneThreats_WP.indd Rev. 1.0 20110815BROB 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information